The FaintedHeartnessClub Tech Support Scam

I was casually browsing Scammer.info the other day, and I stumbled across a post about a fake pop-up pushing the usual tech support scam. I did some poking around, and what I found was a vast network of pop-ups enabling the perpetrators to scam their victims on a large scale.

In this article, we publish the phone numbers associated with the call centre running the scam. Because we see new fake ads and fresh phone numbers showing up each day, we also publish the IoCs associated with this campaign.

Our goal is to help the Scambaiting and Infosec community identify any future popups and phone numbers belonging to this particular group.

Lack of Attribution

The threat actors behind this campaign are yet to be identified. Until then, we refer to this group as FaintedHeartnessClub, after one of the domain names hosting a fake pop-up.

What connects the pop-ups is that they all claim the computer is infected with a virus and that the victim has to call Apple or Microsoft to fix the non-existent problem.

The Machinery Behind the Popups

The scammers behind the campaign have registered dozens of domain names and phone numbers so that the campaign keeps running even if some of them are taken down.

Most of the domain names are registered under the new gTLDs introduced a few years ago, such as .club, .space and .site.
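As an added example (not part of the original write-up, nor tooling from anyone involved), the following Python scores a rendered pop-up page against the indicators described above: a domain under one of the named new gTLDs, a toll-free call-back number, and the "infected, call Microsoft/Apple" lure. The host name, the sample text and the 555-01xx phone number are constructed placeholders, and the TLD set is a starter assumption taken from the three gTLDs named in the text.

```python
import re

# Lure wording the campaign relies on: the machine is "infected" and the
# victim must "call Microsoft/Apple". Labels are reused in the report.
LURE_PATTERNS = {
    "infection claim": re.compile(r"\b(virus|infected|trojan|spyware)\b", re.I),
    "call-vendor instruction": re.compile(r"\bcall\b.{0,40}\b(microsoft|apple)\b", re.I | re.S),
}
# New gTLDs named in the write-up (assumed starter set; extend as new pop-up domains appear).
SUSPECT_TLDS = {"club", "space", "site"}
# NANP toll-free area codes; the advertised call-back numbers sit in these ranges.
TOLL_FREE_AREA_CODES = {"800", "833", "844", "855", "866", "877", "888"}
# Matches NANP numbers written as "+1 888 555 0100", "1-888-555-0100" or "(888) 555-0100".
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.-]?)?\(?(\d{3})\)?[\s.-]?(\d{3})[\s.-]?(\d{4})(?!\d)"
)

def extract_toll_free_numbers(text):
    """Return toll-free numbers found in text, normalised to E.164 (+1NXXNXXXXXX), deduplicated."""
    found = []
    for m in PHONE_RE.finditer(text):
        area, exchange, line = m.groups()
        number = f"+1{area}{exchange}{line}"
        if area in TOLL_FREE_AREA_CODES and number not in found:
            found.append(number)
    return found

def is_suspect_tld(hostname):
    """True when the hostname ends in one of the gTLDs the campaign favours."""
    return hostname.lower().rstrip(".").rsplit(".", 1)[-1] in SUSPECT_TLDS

def assess_popup(hostname, page_text):
    """Score a rendered pop-up page; returns (score, reasons). A score of 2+ warrants an alert."""
    reasons = []
    if is_suspect_tld(hostname):
        reasons.append("hosted on a new gTLD")
    numbers = extract_toll_free_numbers(page_text)
    if numbers:
        reasons.append("advertises toll-free number(s): " + ", ".join(numbers))
    for label, pattern in LURE_PATTERNS.items():
        if pattern.search(page_text):
            reasons.append(label)
    return len(reasons), reasons

# Constructed sample pop-up (placeholder host and a reserved 555-01xx number, not real IoCs).
SAMPLE_HOST = "example-popup.club"
SAMPLE_TEXT = (
    "** WARNING ** Your computer has been infected with a virus.\n"
    "Do not shut down. Call Microsoft Support now: +1 888 555 0100 (1-888-555-0100)"
)
```

Running `assess_popup(SAMPLE_HOST, SAMPLE_TEXT)` on the constructed sample yields a score of 4 with all four reasons, while a benign helpdesk page on a .com host with a non-toll-free number scores 0.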

Phone Numbers:


Domain Names:


IP addresses:


File Hashes:


Google Analytics IDs:


Background

The Federal Trade Commission (FTC) reports that people reported $55 million in losses to tech support scams in 2018. These scams usually start with a fake pop-up or an unsolicited phone call claiming that something is wrong with the victim's computer. The goal of the tech support scammers is to convince their victims to establish a remote desktop session with them. During these sessions, they diagnose non-existent computer problems, and each 'fix' costs the victim hundreds of dollars. The FTC says the group most vulnerable to tech support scams is the elderly.

To avoid tech support scams, the FTC recommends the following:

Do not click on any links or call a number that pops up on your screen warning of a computer problem.

Hang up on unexpected calls from anyone who claims to be tech support.

Never give control of your computer or share passwords with anyone who contacts you.